Marcelo de Moraes Serpa
2009-Oct-13 16:20 UTC
config.action_controller.session[:secret] vs protect_from_forgery :secret
What I want to do is share the same session across many Rails applications. All of them are using Rails 2.2.2. I know that, to share the session, it's (supposedly) just a matter of sharing the same key and secret among the apps, like this:

  config.action_controller.session = {
    :session_key => '_apps_session',
    :secret => '71b94f37789bbedf9062616218dab005f2ffae65de2cac6313423a70eeff07189c7694d71d5fc0996'
  }

This being put in config/environment.rb of all the apps you want the session to be shared with.

Now, some of the apps are returning in the HTTP response a session id (_apps_session=big number) that is different, even though they have the same session_key and secret.

One thing that I noted, though, is that these apps are also providing a :secret to protect_from_forgery, and the number is different from the number passed to the :secret on config.action_controller.session[:secret].

What I would like to know is, if I'm setting the secret in config.action_controller.session, do I need to pass it to protect_from_forgery? Or are they secrets of different nature?

Thanks,

Marcelo.
Frederick Cheung
2009-Oct-13 17:32 UTC
Re: config.action_controller.session[:secret] vs protect_from_forgery :secret
On Oct 13, 5:20 pm, Marcelo de Moraes Serpa <celose...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> What I want to do is share the same session across many Rails applications.
> All of them are using Rails 2.2.2. I know that, to share the session, it's
> (supposedly) just a matter of sharing the same key and secret among the
> apps, like this:
>
> config.action_controller.session = {
>   :session_key => '_apps_session',
>   :secret => '71b94f37789bbedf9062616218dab005f2ffae65de2cac6313423a70eeff07189c7694d71d5fc0996'
> }
>
> This being put in config/environment.rb of all the apps you want the session
> to be shared with.
>
> Now, some of the apps are returning in the HTTP response a session id
> (_apps_session=big number) that is different, even though they have the same
> session_key and secret.

There is more you need to do: the browser won't send the cookie from app1.example.com when the user's browser makes a request to app2.example.com. There is an option called something like :session_domain that allows you to set the domain used by your session cookie (I think it changed to :domain for 2.3).

> One thing that I noted, though, is that these apps are also providing a
> :secret to protect_from_forgery, and the number is different from the number
> passed to the :secret on config.action_controller.session[:secret].
>
> What I would like to know is, if I'm setting the secret in
> config.action_controller.session, do I need to pass it to
> protect_from_forgery? Or are they secrets of different nature?

The two are mostly unrelated if my memory is correct.

Fred

> Thanks,
>
> Marcelo.
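The two conditions Fred raises above, a shared signing secret and a cookie domain that covers every host, as an added Ruby example that is not part of the thread and not Rails' own code. It reconstructs the shape of a Rails 2.x CookieStore cookie (base64 payload, then `--`, then an HMAC-SHA1 hex digest under the session secret) to show that apps sharing one secret can verify each other's cookie while an app with a different secret cannot, and that the digest says nothing about whether the browser will send the cookie to a second host at all. The secrets and host names are constructed; JSON is used as the payload encoding in place of the Marshal serialization the real store used.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Constructed values for the example; a real deployment generates its own.
SHARED_SECRET = 'example-shared-secret-used-by-app1-and-app2'
OTHER_SECRET  = 'a-different-secret-used-by-a-third-app'

# HMAC-SHA1 over the encoded payload, keyed with the session secret.
def sign(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Build the cookie value: serialized session, "--", digest.
def encode_session(session, secret)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{sign(data, secret)}"
end

# Constant-time comparison so a digest mismatch leaks nothing through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash when the digest verifies under +secret+, else nil.
# The payload is only decoded after the signature check passes.
def decode_session(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(sign(data, secret), digest)
  JSON.parse(Base64.strict_decode64(data))
end

# Cookie domain scoping: a cookie set with Domain=.example.com is returned to
# app1.example.com and app2.example.com; a host-only cookie (no Domain
# attribute) is returned only to the host that set it.
def cookie_sent_to?(cookie_domain, set_by_host, request_host)
  return set_by_host == request_host if cookie_domain.nil?
  d = cookie_domain.sub(/\A\./, '')
  request_host == d || request_host.end_with?(".#{d}")
end

if __FILE__ == $PROGRAM_NAME
  cookie = encode_session({ 'user_id' => 42 }, SHARED_SECRET)
  puts "app2 with shared secret: #{decode_session(cookie, SHARED_SECRET).inspect}"
  puts "app3 with other secret:  #{decode_session(cookie, OTHER_SECRET).inspect}"
  puts "host-only cookie reaches app2? #{cookie_sent_to?(nil, 'app1.example.com', 'app2.example.com')}"
  puts "Domain=.example.com reaches app2? #{cookie_sent_to?('.example.com', 'app1.example.com', 'app2.example.com')}"
end
```

With the same secret the second app decodes the first app's session; with any other secret, or a tampered digest, `decode_session` returns nil, which is the case where each app falls back to issuing its own fresh session id. Even with matching secrets, a host-only cookie set by app1.example.com is never presented to app2.example.com, which is the domain setting Fred refers to.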